[156006] in North American Network Operators' Group
Re: Blocking MX query
Tue Sep 4 08:06:15 2012
In-Reply-To: <CA+Nv4GC8QGiOGnmFJGDH95MpnxNyUCdwMT3WrBz+7Bj5vDtmsg@mail.gmail.com>
From: William Herrin <bill@herrin.us>
Date: Tue, 4 Sep 2012 08:05:06 -0400
To: Ibrahim <ibrahim1@gmail.com>
Cc: nanog@nanog.org
On Tue, Sep 4, 2012 at 6:07 AM, Ibrahim <ibrahim1@gmail.com> wrote:
> I've read the old archive about blocking the SMTP port (TCP port 25). In my
> current situation we are a mobile operator and use NAT for our subscribers,
> and we have a few spammers; it is a bit difficult to track them because
> mostly our subscribers are on prepaid services. If we block TCP port 25,
> there might be "good" subscribers who will not be able to send email.
Hi,
There are no "good" subscribers trying to send email direct to a
remote port 25 from behind a NAT. The "good" subscribers are either
using your local smart host or they're using TCP port 587 on their
remote mail server. You may safely block outbound TCP with a
destination of port 25 from behind your NAT without harming reasonable
use of your network.
> We are thinking of blocking MX queries on our DNS server, so only spammers
> that use their own SMTP server will be affected. All DNS queries from our
> subscribers are already redirected to our DNS cache servers. But it seems
> BIND doesn't have a feature to block MX queries. Any best practice to block
> MX queries?
Best practice is: don't mess with the DNS.
I don't know if any resolver software supports what you want to do
here. If it does, I don't know what the repercussions are likely to
be. I do know that historically, altering DNS results has proven
problematic. For example, returning an A record for your search server
in place of no-host responses wreaks all manner of havoc.
I also doubt the efficacy of the method. Were this to become common
practice, a spammer could trivially evade it by using his own DNS
software or simply pumping out the address list along with
pre-resolved IP addresses to deliver the mail to. For all I know, they
already do.
Regards,
Bill Herrin
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
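As an added example (not from the thread or from any of its participants), the script below encodes Bill's port-25 advice as a filter verdict and applies it to NAT flow records, so an operator in Ibrahim's position can both see which private addresses would be dropped by an outbound tcp/25 block and rank subscribers by how many distinct remote mail servers they reach directly. The flow-log format, the smart-host address (203.0.113.10) and the threshold of three destinations are assumptions; the log lines are constructed for the example.

```python
"""Apply an outbound tcp/25 egress policy to NAT flow records and rank
subscribers that deliver mail directly to remote MTAs.

Added example, not code from the NANOG thread. The record format
"<timestamp> <src>:<sport> -> <dst>:<dport> <proto>", the smart-host
address and the threshold are assumptions for illustration.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed sample NAT flow records (assumed format, see module docstring).
SAMPLE_LOG = """\
2012-09-04T08:00:01 10.20.1.5:51234 -> 203.0.113.10:25 tcp
2012-09-04T08:00:02 10.20.1.5:51235 -> 198.51.100.7:25 tcp
2012-09-04T08:00:03 10.20.1.5:51236 -> 198.51.100.8:25 tcp
2012-09-04T08:00:04 10.20.1.5:51237 -> 192.0.2.44:25 tcp
2012-09-04T08:00:05 10.20.2.9:40001 -> 203.0.113.10:25 tcp
2012-09-04T08:00:06 10.20.2.9:40002 -> 198.51.100.7:587 tcp
2012-09-04T08:00:07 10.20.3.3:33333 -> 198.51.100.7:25 tcp
2012-09-04T08:00:08 10.20.1.5:51238 -> 198.51.100.9:25 tcp
"""

# Assumed address of the operator's own smart host; traffic to it stays allowed.
SMART_HOST = ipaddress.ip_address("203.0.113.10")

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def parse_flows(text):
    """Parse flow records into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, proto = m.groups()
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "sport": int(sport),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
        })
    return flows


def egress_verdict(flow, smart_host=SMART_HOST):
    """Return 'drop' for direct tcp/25 from a private (NAT'd) source to any
    host other than the smart host; everything else, including submission
    on port 587, is 'allow'."""
    if flow["proto"] != "tcp" or flow["dport"] != 25:
        return "allow"
    if not flow["src"].is_private:
        return "allow"
    if flow["dst"] == smart_host:
        return "allow"
    return "drop"


def direct_port25_destinations(flows, smart_host=SMART_HOST):
    """Map each private source to the set of remote tcp/25 destinations it
    contacted directly, excluding the smart host."""
    by_src = defaultdict(set)
    for f in flows:
        if egress_verdict(f, smart_host) == "drop":
            by_src[f["src"]].add(f["dst"])
    return by_src


def suspect_sources(flows, threshold=3, smart_host=SMART_HOST):
    """Private sources that reached at least `threshold` distinct remote MTAs
    directly, sorted as strings. Threshold is an assumed tuning value."""
    dests = direct_port25_destinations(flows, smart_host)
    return sorted(str(src) for src, d in dests.items() if len(d) >= threshold)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for f in flows:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} {egress_verdict(f)}")
    print("suspect sources:", suspect_sources(flows))
```

Run as-is, the script reports 10.20.1.5 as the only source above the threshold (four distinct remote MTAs); 10.20.2.9 uses the smart host and port 587 and is never affected by the block, which illustrates why the port-25 filter does not harm the "good" subscribers Ibrahim is worried about.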